The changes won’t come quickly, as I note in my op-ed in today’s Wall Street Journal. At four select airports beginning this fall, “trusted travelers” — elite-level members of American and Delta Airlines’ frequent flier programs — will be able to skip some of the sillier security protocols. The airlines know who they are, the thinking goes, and they travel constantly. So the chances that one of them is carrying a bomb are vanishingly small. Some travelers may keep their shoes on; others may not have to remove their laptops from their cases. If it goes well, the pilot project will expand beyond Atlanta, Detroit, Miami and Dallas-Fort Worth, and include more airlines.

The thing to watch here is whether some well-meaning fools derail this nascent common-sense move by calling it "unfair".

The hack, which affects only Twitter.com and not third-party clients, works by putting a piece of JavaScript code ('onmouseover') into a URL in a tweet. This causes a pop-up message to emerge when someone hovers a cursor over that link. The loophole appears to work in both the redesigned Twitter web interface that was launched on Wednesday and the previous version.

The problem has been dealt with, according to Twitter - but boy, that's an embarrassing launch "oops" for them.

Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware. An internal report issued by the airline revealed the infected computer failed to detect three technical problems with the aircraft, which if detected, may have prevented the plane from taking off, according to reports in the Spanish newspaper, El Pais. Flight 5022 crashed just after takeoff from Madrid-Barajas International Airport two years ago today, killing 154 and leaving only 18 survivors.

Microsoft is rushing out a patch for a really nasty bug involving link files and desktop shortcuts. It can be triggered via documents, file browsing and, apparently, web browsing. Hence the rush:

The company said it is satisfied with the quality of the "out-of-band" update -- Microsoft's term for a patch that falls outside the usual monthly delivery schedule -- but also acknowledged that it has tracked an upswing in attacks.

I could feel smug on my Mac, but I think I'm with Steve Gibson on this one - he said on the last "Security Now" podcast that Mac OS and Linux likely have equally bad flaws lying around, it's just that the installed base isn't big enough to warrant a search by the bad actors. Security by obscurity, I guess :)

Phishing isn’t (just) about finding a person who is technically naive. It’s about attacking the seemingly impregnable defenses of the technically sophisticated until you find a single, incredibly unlikely, short-lived crack in the wall.

To be honest, I'm surprised that Doctorow got tripped up by the "Is this you" Twitter/Facebook thing though - that's a pretty well-known attack. On the other hand, we all click on stuff without thinking too deeply about it, and URL shorteners are a very useful attack vector.

McAfee's "DAT" file version 5958 is causing widespread problems with Windows XP SP3. The affected systems enter a reboot loop and lose all network access.

Apparently, it thinks svchost.exe is bad, and blows it away. Oops. On a positive note, a machine that endlessly reboots is pretty safe from viruses :)

Update: This is about as bad as it could get - since affected machines won't boot up with network support, they have to be fixed by hand (i.e., no automated fix from McAfee is possible):

Amrit Williams, CTO of security management system company Big Fix, told USA Today that there's no way to automate the process of fixing affected computers. Every machine will need to be repaired individually, he said, noting the process could take days or weeks.

The latest version of the Zeus do-it-yourself crimeware kit goes to great lengths to thwart would-be pirates by introducing a hardware-based product activation scheme similar to what's found in Microsoft Windows. The newest version with bare-bones capabilities starts at $4,000 and additional features can fetch as much as $10,000. The new feature is designed to prevent what Microsoft refers to as "casual copying" by ensuring that only one computer can run a licensed version of the program. After it is installed, users must obtain a key that's good for just that one machine.

Just when I think things can't get weirder, I run across stuff like this.

If you've bought the Energizer DUO USB battery charger, you might want to uninstall the software immediately. Why? Because it comes pre-loaded with a backdoor that can let someone remotely access your computer.

This is the scariest kind of security problem, because you tend to default to trusting software that comes from a reputable vendor.

At any given moment, it - and therefore your carrier - knows within a few feet exactly where you're standing. It knows when you're stationary or walking - and the direction you're heading. It knows who you stood next to on the transit bus, that you walked through Washington Square today when a political rally took place.

Mind you, Daemon is fiction - but many things could be done with the reams of location/activity data the typical smartphone has access to, and not all of them are good...